Input Sanitation: Who Left the Door Open?

The number one cause of security breaches on the Internet is the failure to sanitise user inputs. Of course, this seems rather obvious, as the open doors are where one attacks. Nevertheless, what does it mean?

Every year, when the end of December is coming up, the Dutch postal services lock up all mailboxes along the streets or fit them with smaller openings that only allow thin letters. This has to do with a fear of fireworks being put in one of the mailboxes, resulting in damage and loss of mail. When I park my car and walk to the ticket machine, it requires me to enter coins. If I were to enter Pounds instead of Euros, it would return my coins, given that I did park somewhere in the Euro-zone. Furthermore, the machine would certainly not accept a large brick or a pair of socks as payment.

These examples show what input sanitation is: preventing users from entering potentially harmful data. If the mailbox accepted fireworks, it would probably explode. If the ticket machine accepted toy coins, I would be parking rather cheaply. In both cases, the vendors prevented those attacks by putting proper input sanitation in place.

When it comes down to input sanitation, web applications are not any different. They also require proper input sanitation. Actually, they need it even more, because the Internet allows for all sorts of attack automation, which makes attacking a lot easier.

So, How does it Work?
Web applications allow you to enter all sorts of data. Maybe you enter text in a form or you upload an image: the possibilities are numerous. As with mailboxes and vending machines, you may try to enter something that should not be allowed in at all.

Behind all those nice forms and buttons lies an application, a piece of software that makes the website tick. Like the inside of a vending machine contains a lot of small components that measure the dimensions and weight of an entered coin, the website figures out what it should do with your input. For example, it saves it somewhere, in order to display your fresh status update to all your friends.

Now, imagine a locksmith. He is able to fiddle with a lock picking set to open up a lock. Thereby, he basically breaks the input sanitation of the lock and is able to enter a set of iron sticks successfully, instead of a key. Web applications tend to have comparable vulnerabilities. For example, one is able to enter a special command, which causes the processing of the entered data to go in a different direction. A direction where the attacker decides what happens, and not the owner of the web application.
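The "special command" idea above, as an added example that is not part of the original article. It assumes a web application that saves status updates in a SQL database (SQLite here); the table, the function names and the sample input are constructed for illustration. The first function pastes the input into the command text, the second refuses malformed input and hands the rest to the database strictly as data.

```python
import sqlite3

# Constructed sample input: the quote ends the text early, the rest is read as SQL.
CONSTRUCTED_INPUT = "hi'), ('bob', 'I never wrote this"
MAX_LEN = 280  # assumed length limit for a status update


def make_db():
    """Create an in-memory database with a hypothetical status table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE status (author TEXT, body TEXT)")
    return db


def save_status_unsafe(db, author, body):
    # Vulnerable: user input becomes part of the command itself.
    sql = f"INSERT INTO status (author, body) VALUES ('{author}', '{body}')"
    db.execute(sql)


def save_status_safe(db, author, body):
    # The smaller mail slot: refuse input that is empty, too long or unprintable.
    if not (1 <= len(body) <= MAX_LEN) or not body.isprintable():
        raise ValueError("status update rejected")
    # Placeholders keep the command fixed; the input can only ever be data.
    db.execute("INSERT INTO status (author, body) VALUES (?, ?)", (author, body))


def rows(db):
    """Return every stored update in insertion order."""
    return db.execute("SELECT author, body FROM status ORDER BY rowid").fetchall()


def demo():
    """Store the same input through both functions and return both tables."""
    unsafe_db, safe_db = make_db(), make_db()
    save_status_unsafe(unsafe_db, "alice", CONSTRUCTED_INPUT)
    save_status_safe(safe_db, "alice", CONSTRUCTED_INPUT)
    return rows(unsafe_db), rows(safe_db)


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("unsafe:", unsafe_rows)  # two rows, one attributed to another user
    print("safe:  ", safe_rows)    # one row, stored exactly as typed
```

In the unsafe table the single update from alice turns into two rows, one of them under bob's name; in the safe table it stays one row containing the text exactly as typed.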

Coping is Often Easy, but Never Perfect
What often surprises security experts is that most attacks are not the beautiful well-thought-through attacks from the movies. No, in practice, most attacks are bafflingly simple. Of course, it is very hard to find all those flaws, but it never ceases to amaze me how little effort it takes to break most websites. Please note that this probably does not concern your internet banking website or your favourite search engine, but may concern one of the smaller web-shops you visit.

It is often possible to put good input sanitation measures in place, such as the smaller slot on the mailbox. Nevertheless, perfect security does not exist and will never exist. If I really wanted to, I would probably find a way to blow up your mailbox. Security is about making this so hard that it is not worth the effort, which is why banking security is so much harder than securing the website of your aunt.

Ode to the Bouncer
In most bars and clubs, a bouncer keeps out those people that are way too drunk or want to sell drugs on the dance floor. Such a bouncer looks for suspicious patterns and unusual behaviour in the stream of people entering the club.

An interesting means of securing your web application is by getting your own bouncer. In this case, he is called an Intrusion Detection System, but he does the same thing. He will fetch the manager when strange things start to happen and he will throw out anyone that wants to wreak havoc in your system.

Input Sanitation: Please Close the Door
Eventually, input sanitation boils down to closing unwanted doors and cleaning or refusing potentially harmful user input. Every web application should have good input sanitation in place, as it still is the most important cause of errors. So, dear developers, please close the door after you finish programming.